
Top command causing issues with stats commands

alaking
Explorer

I am trying to audit bandwidth usage. The following search works as expected, except the URLs flood the URL field. I want the top 5:

Search here
| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal 
| head 10

When I try to limit the domains listed using "top" like this:

Search here
| top limit=5 url by user
| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal 
| head 10

The URL list is limited to 5 results per row; the problem is my sent/received/transferred fields go blank. And when I try putting top further down like this:

| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| top limit=5 url by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal 
| head 10

I get "No results found."

I am using Verbose mode and in every instance, I can see events on the events tab of the search window. I'm wondering if I am using top incorrectly.
Thanks in advance for reading and for any help you can provide.

0 Karma

acharlieh
Influencer

This sounds like a job for the still undocumented multireport; offhand, something like this:

... | multireport 
         [top limit=5 url by user]
         [stats sum(sent) as SentTotal sum(received) as ReceivedTotal by user]
    | stats list(url) as URL values(*Total) as *Total by user
    | eval Transferred=ReceivedTotal+SentTotal
    | table user URL SentTotal ReceivedTotal Transferred
    | sort 10 -Transferred

So what's going on? Using multireport we generate statistics for your two transforming commands separately, we then pull the results back together using stats, and go on our merry way.

I should note that you can use trickery with appendpipe, eval, and where to get similar results without venturing into the undocumented parts of Splunk too; it's just more verbose.

0 Karma
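To make the data flow in this thread concrete, here is an added Python model of the three pipelines (the two failing searches from the question and the multireport answer). It is not SPL and not code from either poster; it only imitates the relevant semantics of `top` (output rows carry just the by-field, the counted field, count and percent, so `sent`/`received` disappear) and of `stats ... by user` (a sum over rows that lack the field yields no value). The `EVENTS` list is constructed proxy-log style data and the function names are the example's own.

```python
"""Added example: a small Python model (not SPL, not code from the thread) of how
the three pipelines in the question and the multireport answer treat the same
events. Field names and the sample events are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed proxy-log style events: one per request.
EVENTS = [
    {"user": "alice", "url": f"site{i % 7}.example", "sent": 100 + i, "received": 1000 * (i % 3 + 1)}
    for i in range(20)
] + [
    {"user": "bob", "url": f"host{i % 3}.example", "sent": 50, "received": 500 + i}
    for i in range(6)
]


def top_by(rows, field, by, limit):
    """Model of `top limit=N <field> by <by>`.

    For each `by` value, keep the N most frequent values of `field`. The output
    rows carry only by, field, count and percent; every other field (sent,
    received, ...) is dropped. Rows that lack `field` contribute nothing, so
    running top on a field that no longer exists yields no results at all.
    """
    per_group = defaultdict(Counter)
    for r in rows:
        if field in r and by in r:
            per_group[r[by]][r[field]] += 1
    out = []
    for group, counter in per_group.items():
        total = sum(counter.values())
        for value, count in counter.most_common(limit):
            out.append({by: group, field: value, "count": count, "percent": 100.0 * count / total})
    return out


def stats_by_user(rows):
    """Model of `stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user`.

    sum() over rows that have no such field produces no value; modelled as None.
    """
    out = {}
    for r in rows:
        rec = out.setdefault(r["user"], {"user": r["user"], "URL": [], "SentTotal": None, "ReceivedTotal": None})
        if "url" in r:
            rec["URL"].append(r["url"])
        for src, dst in (("sent", "SentTotal"), ("received", "ReceivedTotal")):
            if src in r:
                rec[dst] = (rec[dst] or 0) + r[src]
    return out


def top_then_stats(events):
    """Question, second search: top drops sent/received, so the totals come back empty."""
    return stats_by_user(top_by(events, "url", "user", 5))


def stats_then_top(events):
    """Question, third search: stats renamed url to URL, so `top ... url` finds nothing."""
    return top_by(list(stats_by_user(events).values()), "url", "user", 5)


def multireport(events, limit=5, head=10):
    """Answer: run top and the totals over the same events independently, take the
    union of both result sets (what multireport emits), then merge per user."""
    report_rows = top_by(events, "url", "user", limit)
    for user, rec in stats_by_user(events).items():
        report_rows.append({"user": user, "SentTotal": rec["SentTotal"], "ReceivedTotal": rec["ReceivedTotal"]})
    # stats list(url) as URL values(*Total) as *Total by user
    merged = {}
    for r in report_rows:
        rec = merged.setdefault(r["user"], {"user": r["user"], "URL": []})
        if "url" in r:
            rec["URL"].append(r["url"])
        for k in ("SentTotal", "ReceivedTotal"):
            if k in r:
                rec[k] = r[k]
    for rec in merged.values():
        rec["Transferred"] = rec["SentTotal"] + rec["ReceivedTotal"]
    # sort 10 -Transferred
    return sorted(merged.values(), key=lambda r: -r["Transferred"])[:head]


if __name__ == "__main__":
    for row in multireport(EVENTS):
        print(row)
```

Running the module prints one merged row per user with at most five URLs and the full byte totals, which is the shape the question was after; `top_then_stats` shows the empty totals and `stats_then_top` the empty result set the poster saw.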